>
    Configure DPDK on CN-Series Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. High Availability and DPDK Support for CN-Series Firewall
    4. Configure DPDK on CN-Series Firewall
    Download PDF
    CN-Series

    Configure DPDK on CN-Series Firewall

    Table of Contents

    Configure DPDK on CN-Series Firewall

    Data Plane Development Kit (DPDK) provides a simple framework for fast packet processing in dataplane applications.
    Where Can I Use This?What Do I Need?
    • CN-Series deployment
    • CN-Series 10.2.x or above Container Images
    • Panorama running PAN-OS 10.2.x or above version
    • Helm 3.6 or above version client
    Data Plane Development Kit (DPDK) provides a simple framework for fast packet processing in dataplane applications.
    DPDK mode is supported on CN-Series Firewall as a Kubernetes Container Network Function (CNF) only.
    DHCP IPAM is not supported in DPDK mode.

    System Requirements

    To run a DPDK application, you must make the following customizations on your target machine.
    • Kernel Configuration—Enable the HUGETLBFS option in the host OS kernel.
    • KNI and UIO/VFIO—Insert KNI and UIO/VFIO in the host OS kernel.
    • Hugepages
      1. Reserve hugepages
        • Reserve hugepages during runtime, before the pods starts. Add the number of hugepages required to the nr_hugepages file in the /sys/kernel/ directory corresponding to a specific page size (in KB). For example, use the following command for a single-node system if 1024 of 2M pages are required.
          echo 1024 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
        • Reserve hugepages during boot. For example, to reserve hugepage of memory 4G as four 1G pages, the following options should be passed to the kernel.
          default_hugepagesz=1G hugepagesz=1G hugepages=4
      2. Use hugepages with DPDK—Create mount points for hugepages because PanOS 10.2 uses DPDK secondary processes.
        The following is a sample command to create hugepage of size 1 GB for DPDK use.
        mkdir /mnt/huge
mount -t hugetlbfs pagesize=1GB /mnt/huge
      3. Restart the kubelet service on the host after enabling hugepages using the following command. 
        sudo systemctl restart kubelet
      4. Check /sys/fs/cgroup/hugetlb/kubepods.slice/hugetlb.2MB.limit_in_bytes to make sure the size matches the hugepage size. If the size does not match the hugepage size, update the size using the following command.
        echo 2147483648 > /sys/fs/cgroup/hugetlb/kubepods.slice/hugetlb.2MB.limit_in_bytes
        In a pod, applications can allocate and consume pre-allocated hugepages of multiple sizes. Applications consume hugepages through container level resource requirements using resource name hugepages-<size>. For example, hugepages-2Mi or hugepages-1Gi.
        Unlike CPU or memory, hugepages do not support over commit.
        Privileged mode is enabled to access host device space. To list and bind network devices to a container, mount /sys to the container so that DPDK can access files within the directory.
        Following is a code snippet to enable hugepages on DPDK.
        requests:
    cpu: "1"
    memory: "4Gi"
    hugepages-2Mi: 4Gi
limits:
    cpu: "1"
    memory: "4Gi"
    hugepages-2Mi: 4Gi
volumeMounts:
    - mountPath: /sys
      name: sys
    - mountPath: /dev
      name: dev
    - mountPath: /dev/shm
      name: dshm
    - mountPath: /run/tmp
      name: hosttmp
    - mountPath: /etc/pan-fw-sw
      name: sw-secret
    envFrom:
    - configMapRef:
        name: pan-ngfw-config-0
    env:
        - name: CPU_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: pan-ngfw-container
              resource: requests.cpu
        - name: CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: pan-ngfw-container
              resource: limits.cpu
        - name: MEMORY_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: pan-ngfw-container
              resource: requests.memory
        - name: MEMORY_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: pan-ngfw-container
              resource: limits.memory
        - name: MY_POD_UUID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
        - name: MY_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: MY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: MY_POD_SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: MY_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
volumes:
    - name: sys
      hostPath:
        path: /sys
    - name: dev
      hostPath:
        path: /dev
    - name: hosttmp
      hostPath:
        path: /tmp/pan
    - name: dshm
      emptyDir:
        medium: Memory
    - name: sw-secret
      secret:
        secretName: pan-fw-sw
    • NUMA and CPU Pinning—Multiple DPDK process cannot run on the same core because it causes memory pool cache corruption among other issues. The secondary processes are pinned to a different core. Use CPU pinning options in configmap to control secondary processes.
    • Config and Pod Changes
      • Enable PAN_DATA_MODE: "dpdk" in pan-cn-ngfw-configmap-0.yaml and pan-cn-ngfw-configmap-1.yaml.
        DPDK is not the default mode for CN-Series-as-a-kubernetes-CNF.
      • Match the #HUGEPAGE_MEMORY_REQUEST parameter with the hugepage memory request in pan-cn-ngfw-configmap-0.yaml and pan-cn-ngfw-configmap-1.yaml.
        If the hugepage memory is not available, it defaults to MMAP.
    For more information, see DPDK system requirements.
    You can set up DPDK on on-premises worker nodes and AWS EKS cluster

    © 2024 Palo Alto Networks, Inc. All rights reserved.